Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
MISC.2
Economic Commission for Europe
Committee on Trade
Centre for Trade Facilitation and Electronic Business
Nineteenth session
Geneva, 5-7 June 2013
Item 3 of the provisional agenda
Bureau overview of developments
Follow-up to decision 12-11: issues concerning a possible framework for the governance of digital signature interoperability standards and recommendations
Submitted by the UN/CEFACT Bureau for information
Summary
This informal note for information follows up on Decision 12-11 of the eighteenth
session of the UN/CEFACT Plenary. It addresses issues concerning a possible
framework for the governance of digital signature interoperability standards and
recommendations. As requested by the Plenary, it has been prepared by the Vice-Chair
with Programme Development Area responsibilities for Methodology and Technology.
United Nations ECE/TRADE/C/CEFACT/2013/MISC.2
Economic and Social Council Distr.: General
17 May 2013
Original: English
ECE/TRADE/C/CEFACT/2013/MISC.2
2
Contents
Page
I. Introduction ...................................................................................................................................... 3
II. Scope ......................................................................................................................................... 3
III. Terminology ..................................................................................................................................... 4
IV. Digital signature interoperability ...................................................................................................... 5
A. Legal and cross-border recognition ......................................................................................... 6
B. Business process and semantics ............................................................................................... 9
C. Technical recognition .............................................................................................................. 11
Annex I
European digital signature standardization framework .................................................................... 13
Annex II
How UN/CEFACT addresses the business requirements
for trusted electronic data exchange of trade documents.................................................................. 14
ECE/TRADE/C/CEFACT/2013/MISC.2
3
I. Introduction
1. This informal note is submitted to the nineteenth session of UN/CEFACT for
information. As requested by the Plenary, it was prepared by the Bureau Vice-Chair with
Programme Development responsibilities for Methodology and Technology in response to
UN/CEFACT decision 12-11 as recorded in the summary report of the eighteenth session
(ECE/TRADE/C/CEFACT/2012/12, p.5, para. 30):
“The Plenary discussed draft Recommendation No. 37 on Signed Digital Document
Interoperability (ECE/TRADE/C/CEFACT/2010/14/Rev.1 available in English,
French and Russian). The Plenary recognized that the project team had completed the
Open Development Process (ODP) before submitting draft Recommendation 37 to the
December 2010 Plenary and subsequent revisions 2 up until November 2011. The
Plenary thanked the team for their work. The Plenary decided:
• that the process would continue under the direction of the Bureau Vice-Chair
responsible for Methodology and Technology;
• to initiate work to establish a framework for the on-going governance of digital
signature interoperability in coordination with the United Nations Commission on
International Trade Law (UNCITRAL), ISO and other relevant organizations;
• to request that the structure of this framework be established by November 2012,
and;
• to include in the structure a plan that will enable Draft Recommendation 37 [Signed
Digital Document Interoperability] to be put before the Plenary for intersessional
approval. (Decision12-11).”
2. To summarize the events since February 2012, the Bureau Vice-Chair drafted this
information note, and in preparing it pursued informal contacts with the United Nations
Commission on International Trade Law (UNCITRAL), the International Organization for
Standardization (ISO) and other organizations. As the discussions remain ongoing, it was
not possible to conclude them by the Plenary’s requested date of November 2012.
3. On the other hand, the last point raised by the Plenary has already been addressed; as
the Project Team for the revision of Recommendation 14 (Authentication of Trade
Documents by Means Other Than Signature) envisages that the work on draft
Recommendation 37 will be included as one of the annexes to Recommendation 14 when it
is published.
4. This informal document is presented under item 3 of the draft agenda of the
nineteenth session of UN/CEFACT as part of the Bureau overview of recent developments.
Following any Plenary discussion, further steps may be taken towards addressing Decision
12-11.
II. Scope
5. This document proposes a possible framework for the governance of digital
signature interoperability recommendations and standards. Possible coordination with
UNCITRAL, ISO and other organizations may be considered later on.
6. The framework mainly aims to set out possible conditions for achieving the
interoperability of digital signatures for international trade by describing the roles and
responsibilities for the governance of relevant standardization efforts.
ECE/TRADE/C/CEFACT/2013/MISC.2
4
7. It is based on three fundamental principles: non-discrimination, technology and
geographic neutrality and functional equivalence. However, it should be pointed out that as
some of the issues discussed refer to the application of a specific type of technology –
digital signatures – the focus is, by definition, not technology-neutral.
8. It does not promote or endorse the use of digital signatures. Its purpose is to raise
awareness of work going on in relevant standardization organizations which may encourage
greater interoperability of digital signatures if used for cross-border trade.
9. The proposed framework could be applied when developing all UN/CEFACT
Recommendations and Business Standards in the areas of authentication, security, integrity,
non-repudiation and reliability for the exchange of business documents used in international
trade.
10. It also identifies possible roles and responsibilities that may involve others outside
of UN/CEFACT.
11. It could be promoted to organizations with those roles and responsibilities.
12. A key condition of such arrangements would be the provision of standards
unencumbered by licence fees.
III. Terminology
13. In this documentation, the following terms are defined:
(a) An electronic signature is data in electronic form, affixed to or
logically associated with, a data message, which may be used to identify the
signatory in relation to the data message and to indicate the signatory’s intention in
respect of the information contained in the data message (see Article 2 (a) of
UNCITRAL Model Law on Electronic Signatures and Article 9 of United Nations
Convention on the Use of Electronic Communications in International Contracts).
(b) A digital signature is one type of electronic signature. “Digital
signature” is a name for technological applications using asymmetric cryptography,
also referred to as public key encryption systems, to ensure the authenticity of
electronic messages and guarantee the integrity of the contents of these messages.
This is commonly implemented using a set of services collectively known as a
Public Key Infrastructure (or PKI). The digital signature is widely regarded as a
particular technology for “signing” electronic documents. However, it is at least
questionable whether, from a legal point of view, the application of asymmetric
cryptography for authentication purposes should be referred to as a digital
“signature”, as its functions go beyond the typical functions of a handwritten
signature. The digital signature offers means both to “verify the authenticity of
electronic messages” and to “guarantee the integrity of the contents.” Furthermore,
digital signature technology does not merely establish origin or integrity with
respect to individuals as is required for signing purposes, but it can also authenticate,
for instance, servers, websites, computer software or any other data that is
distributed or stored digitally, which gives digital signatures much broader use than
an electronic alternative for handwritten signatures.1
1 Babette Aalberts and Simone van der Hof, Digital Signature Blindness: Analysis of Legislative
Approaches toward Electronic Authentication (November 1999), p. 8, available at
ECE/TRADE/C/CEFACT/2013/MISC.2
5
IV. Digital signature interoperability
14. Interoperability of digital signatures aims at increasing the level of interoperability
of digitally signed information as a means of facilitating paperless international trade. This
includes the cross-border recognition of foreign digital signatures.
15. Recent activities in the area of standardization to support interoperability of digital
signatures have led the UN/CEFACT Plenary to realize that the international trade
environment lacks a recognized framework for developing these standards and
recommendations.
16. This document provides the Plenary with a possible framework based on the
principles of interoperability being identifiable as separate layers: legal, business
requirement and technical.
17. The principal requirements for trust in the exchange of business documents used in
international trade are summarized in the following table and shown diagrammatically in
the figure:
Area Responds to the question Possible Agency
Responsible Examples
Legal
Is this enforceable in law?
Do the signed digital data
and the electronic signature
meet the legal requirements?
UNCITRAL
UN Electronic
Communications
Convention2, Model
Law on Electronic
Signatures
Business
requirements
Are these data acceptable to
my business operations? UN/CEFACT
UNECE
Recommendation
14
Process Is this a valid business
relationship? UN/CEFACT
Business Document
Header
Semantics Is the content consistent with
my understanding? UN/CEFACT UNTDED
Technical Are these data acceptable to my
information system? ISO (and ETSI)
ISO 14533-1 and
14533-2, XAdES,
CAdES, PAdES
http://panel.bogor.net/idkf-wireless/aplikasi/hukum/digital-signature-blindness-11-1999.pdf
(accessed on 8 May 2013).
2 Official title: United Nations Convention on the Use of Electronic Communications in International
Contracts. It came into force on 1 March 2013.
ECE/TRADE/C/CEFACT/2013/MISC.2
6
Figure: Possible governance model
18. Such a framework may be further developed as a candidate for inclusion as an annex
to the Memorandum of Understanding on eBusiness.
A. Legal and cross-border recognition
Proposed possible overall responsible role:
United Nations Commission on International Trade Law
Aim: To review proposed standards and recommendations regarding the legal aspects of
using digital signatures (including cross-border recognition of digital signatures) for
consistency with UN international texts and documents
19. UNCITRAL is the core legal body of the United Nations system in international
trade law. One of its aims is to harmonize rules on commercial transactions by providing
legislative guidance. It has been a pioneer in developing legal standards on electronic
commerce and many of its texts have influenced a great number of jurisdictions.3
20. These texts include the 1995 UNCITRAL Model Law on Electronic Commerce,
2001 UNCITRAL Model Law on Electronic Signatures and 2005 United Nations
Convention on the Use of Electronic Communications in International Contracts. With the
increased use of electronic communications in international trade, almost all of the
UNCITRAL Working Groups (currently six) have considered or are considering related
issues when deliberating their respective topics.
21. The increased use of electronic authentication techniques as substitutes for
handwritten signatures and other traditional authentication procedures has created a need
3 See http://www.uncitral.org/uncitral/uncitral_texts/electronic_commerce.html
ECE/TRADE/C/CEFACT/2013/MISC.2
7
for a specific legal framework to reduce uncertainty as to the legal effect that may result
from the use of electronic signatures. The risk of diverging legislative approaches to
electronic signatures in various countries calls for uniform provisions to foster their legal
harmonization, as well as their interoperability.
22. In considering uniform rules on electronic signatures, UNCITRAL has examined
various electronic signature techniques currently being used or still under development. The
common purpose of those techniques is to provide functional equivalents to (a) handwritten
signatures and (b) other kinds of authentication mechanisms used in a paper-based
environment (e.g. seals or stamps).
23. Article 9, paragraph 3, of the Electronic Communications Convention is based on
the recognition of the functions of a signature in a paper-based environment. It considers
the following functions of a signature: (a) to identify a person; (b) to provide certainty as to
the personal involvement of that person in the act of signing; and (c) to associate that
person with the content of a document.
24. Alongside the traditional handwritten signature, several procedures (e.g. stamping
and perforation)—sometimes also referred to as “signatures”—provide varying levels of
certainty. In theory, it may seem desirable to develop functional equivalents for the
different types and levels of signature requirements. In this way, users would know exactly
the degree of legal recognition that could be expected from the use of the various means of
authentication.
25. Any attempt, however, to develop rules on standards and procedures to be used as
substitutes for specific instances of “signatures” could create the risk of tying the legal
framework to a given state of technical development.
26. The Convention, therefore, does not attempt to identify specific technological
equivalents to particular functions of handwritten signatures. Instead, it establishes the
general conditions under which electronic communications would be regarded as
authenticated with sufficient credibility and would thus be enforceable in the face of
signature requirements.
27. Paragraph 3(a) of article 9 establishes the principle that in an electronic environment
the basic legal functions of a signature are performed by a method that not only identifies
the originator the communication but also indicates the originator’s intention vis-à-vis the
information it contains.
28. UNCITRAL texts relating to electronic commerce, as well as a large number of
other legislative texts, are based on the principle of technological neutrality and therefore
aim at accommodating all forms of electronic signature.
29. Given the pace of technological innovation, the Convention provides criteria for the
legal recognition of electronic signatures irrespective of the technology used. The following
are some examples:
• digital signatures relying on asymmetric cryptography
• biometric devices
• symmetric cryptograph
• use of PINs
• use of “tokens” as a way of authenticating electronic communications through a
smart card or other device held by the signatory
• digitized versions of handwritten signatures
• signature dynamics
ECE/TRADE/C/CEFACT/2013/MISC.2
8
• other methods, such as clicking an “OK box”.
30. Electronic signatures may take the form of “digital signatures”, often generated
within a public-key infrastructure where the functions of creating and verifying the digital
signature are supported by certificates issued by a trusted third party.
31. Although the use of such “digital signatures” may be prevalent in some countries,
various other devices, also covered in the broad notion of “electronic signature”, may
currently be used or considered for future use, with a view to fulfilling one or more of the
functions of handwritten signatures.
32. Therefore, a piece of legislation that requires digital signature as a general standard
for all transactions would not be technology neutral. And this could also hinder cross-
border recognition of electronic signatures and their interoperability.
33. Such difficulties may be avoided with the broader definition of electronic signature
as adopted in UNCITRAL texts, encompassing all existing or future “electronic signature”
methods.
34. As long as the methods used are “as reliable as was appropriate for the purpose for
which the data message was generated or communicated, in the light of all the
circumstances, including any relevant agreement”, they should be regarded as meeting legal
signature requirements.
35. Paragraph 3(b) of article 9 establishes a flexible approach to the level of security to
be achieved by the method of identification used under paragraph 3(a).
36. Legal, technical and commercial factors that may be taken into account in
determining whether the method used under paragraph 3(a) is appropriate, include the
following:
(i) sophistication of the equipment used by each of the parties;
(ii) nature of their trade activity;
(iii) frequency at which commercial transactions take place between the parties;
(iv) kind and size of the transaction;
(v) function of signature requirements in a given statutory and regulatory
environment;
(vi) capability of communication systems;
(vii) compliance with authentication procedures set forth by intermediaries;
(viii) range of authentication procedures made available by any intermediary;
(ix) compliance with trade customs and practice;
(x) existence of insurance coverage mechanisms against unauthorized
communications;
(xi) importance and the value of the information contained in the electronic
communication;
(xii) availability of alternative methods of identification and the cost of
implementation;
(xiii) degree of acceptance or non-acceptance of the method of identification in the
relevant industry or field both at the time the method was agreed upon and the time when
the electronic communication was communicated;
(xiv) any other relevant factor.
ECE/TRADE/C/CEFACT/2013/MISC.2
9
37. Paragraph 3(b)(i) establishes a “reliability test” with a view to ensuring the correct
interpretation of the principle of functional equivalence for electronic signatures. The test,
which also appears also in article 7, paragraph 1(b), of the UNCITRAL Model Law on
Electronic Commerce, reminds courts of the need to take into account factors other than
technology. These could include the purpose for which the electronic communication was
generated or communicated, or a relevant agreement of the parties, in ascertaining whether
the electronic signature used was sufficient to identify the signatory.
38. Paragraph 3(b)(ii) also contains a safety clause to ensure that electronic signatures
that have indeed satisfied the function they were meant to serve may not be repudiated.
39. Therefore, a flexible approach based on technological neutrality would probably be
most appropriate to foster interoperability of electronic signatures. Relevant provisions can
be found, for instance, in article 9, paragraph 3 of the Electronic Communications
Convention and article 12, paragraph 3 of the Model Law on Electronic Signatures.
B. Business process and semantics
Proposed possible overall responsible role:
United Nations Centre for Trade Facilitation and Electronic Business
Aim: Providing instruments to promote consistent business practices in the use of digital
signatures for verifying authenticity and guaranteeing integrity of trade documents used in
electronic data exchange
40. A long-held and continuing ambition of UN/CEFACT is to reduce the number of
documents used in the supply chain between business partners both domestic and
international. Where this is not possible because of legal obligation, regulatory requirement
or business need, UN/CEFACT has pursued the objective that the document should not
require a signature to convey the intent of the party originating it or for the recipient to act
on the information contained on it. This is also complementary to the World Customs
Organization’s recent Recommendation on the Dematerialization of Supporting
Documents4.
41. The use of signatures in general (not specifically digital signatures) is mentioned in a
number of United Nations recommendations:
• Recommendation 1. United Nations Layout Key for Trade Documents
• Recommendation 6. Aligned Invoice Layout Key for International Trade
• Recommendation 8. Unique Identification Code Methodology
• Recommendation 14. Authentication of Trade Documents by means other than
Signature
• Recommendation 26. The Commercial Use of Interchange Agreements for Digital
data Interchange
42. In August 2012, the Bureau approved a project to revise Recommendation 14. This
project aims first and foremost to remove the requirements for a signature when it is not
essential for the trade document and/or transaction. It further recommends that equal status
be given to other methods to authenticate documents when the signature is considered
necessary.
4 http://www.wcoomd.org/en/about-us/legal-
instruments/recommendations/~/media/B45AE03562BF4B2EA06DEEECE556EAC3.ashx
ECE/TRADE/C/CEFACT/2013/MISC.2
10
43. The revised Recommendation 14:
• Establishes a base vocabulary on the subject (in close alignment with UNCITRAL
works).
• Studies the use of signatures on trade documents both from a business and a legal
point of view and advocates for the establishment of a regular review of trade
documents and the needs for authentication on these documents.
• Identifies aspects of electronic authentication methods and key elements to consider
in choosing these.
44. The revised Recommendation 14 also includes the following:
• Removal of the requirement for a signature except where essential for the function
of the document.
• Introduction of other methods to authenticate documents.
• Creation of a legal framework that permits and gives equal status to authentication
methods other than signature.
• Regular review of documentation used for domestic and cross-border trade, possibly
by a joint public and private sector effort.
45. Moreover, the revisions to Recommendation 14 also aim at providing a
recommendation text that would be universal and durable in time, accompanied by two
different types of annex to be updated in the light of any future evolutions of the legal
framework or technical advances. In particular, the Recommendation and its guidelines will
be accompanied by:
• Checklists for the implementation of electronic signatures and other means of
electronic authentication (legally enabling environment, functional requirements,
etc.).
• Repository of case studies of existing technological solutions— either from the point
of view of a legal framework or their functional implementation —or ideally both.
46. The work on Signed Digital Document Interoperability (previously known as draft
Recommendation 37) identified rules for parties who have mutually agreed to use digital
signatures. To achieve this goal, the draft Recommendation defined a set of requirements
that addressed the organization and relationships between the signed content, signatories’
certificates and signatures. These requirements will be incorporated into examples of best
practice for inclusion in the annex of case studies of existing technological solutions as part
of the revisions to Recommendation 14. Therefore they do not need to be provided as a
separate Recommendation.
47. As well as having the reliable identification, authentication and authorization of the
digital data involved in cross-border trade documents, it is also critical to establish trust in
the reliability, traceability and integrity of the various data exchange services (such as
message handling systems) that may be used to transport the digital data.
48. This level of trust addresses issues such as:
• If a trading party receives electronic data from a foreign infrastructure or service,
how can they trust that the data is from whom it claims to be from and that the
information is authentic?
• If a trading party sends electronic data to a third party, how can they trust that it will
be securely delivered without corruption and only to the intended recipient?
ECE/TRADE/C/CEFACT/2013/MISC.2
11
49. To address this requirement, UN/CEFACT is also preparing a proposal to develop a
“Recommendation for enabling interoperability between electronic data exchange systems
in domestic and cross border trade”.
50. This project will formulate basic principles and prepare a recommendation on
enabling interoperability between different organizations providing existing and new
electronic trade document data-exchange infrastructures. The goal is to enable global trust
when exchanging electronic trade documents across different trans-boundary scenarios.
51. These recommendations (together with other UN/CEFACT instruments) are
intended to address the governance of specifications relating to the use of digital signatures
as part of the overall business requirements for trusted electronic data exchange of trade
documents (see annex II).
C. Technical recognition
Proposed possible overall responsible role: ISO (and ETSI)
Aim: To establish a set of digital signature format standards required that enable technical
recognition of digital signatures across borders
52. The situation related to standards for technical interoperability of digital signatures
is multi-faceted (there are many standards for certificates, hash algorithms, etc). The
multiplicity of electronic signature standards may make it difficult for a recipient to
technically verify digital signatures. It could sometimes affect the ability of businesses and
administrations to exchange digital data securely among themselves and with their
administrative and financial counterparts.
53. This has resulted in a market where there is:
• A lack of truly interoperable digital signature applications
• A lack of trust in existing frameworks
• Problems with mutual recognition and cross‐border interoperability
54. To address the problem, the European Commission has issued a standardization
mandate (M/460) aiming at achieving the interoperability of digital signatures throughout
Europe by providing a rationalized European digital signature standardization framework to
allow mutual recognition and cross-border interoperability. Annex I describes the scope of
M/460.
55. Mandate M/460 addresses the same issues faced outside of Europe in the global
marketplace. It seeks to create the conditions for interoperability of digital signatures at a
cross-border level by defining and providing a rationalized digital signature standardization
framework. The scope of the M/460 framework is described in annex I.
56. The international community should evaluate the findings of Europe’s M/460
mandate and consider adapting and applying it to global cross-border trade.
57. The standard digital signature implementation formats most pertinent to trade
documents are currently developed and published by ETSI. In particular the focus has been
on three types of digital signature implementations:
• CAdES, CMS Advanced Electronic Signature
• XAdES, XML Advanced Electronic Signature
• PAdES, PDF Advanced Electronic Signature.
ECE/TRADE/C/CEFACT/2013/MISC.2
12
58. ETSI standards through liaison with ISO are developed in coordination with ISO/TC
154, as well as other ISO TCs working in this area, including ISO/IEC JTC/1 SSCs.
59. This has resulted in ISO 14533 - “Long Term Signature profiles for EDI Data and
Electronic Documents” from ISO/TC 154. It neither specifies new technical specifications
about digital signatures nor restricts usage of the technical specifications about digital
signatures that already exist. It defines selected elements from the CMS Advanced
Electronic Signatures (CAdES) and XML Advanced Electronic Signature (XADES)
standards that enable verification of a digital signature over a long period of time.
60. UN/CEFACT has liaison arrangements with ISO and ETSI that can be used to
ensure that business requirements from UN/CEFACT stakeholders are supported through
the technical standardization process.
ECE/TRADE/C/CEFACT/2013/MISC.2
13
Annex I
European digital signature standardization framework
Key:
CSP: Certificate Service Provider:
Providers of Certificates for Trust Services not only relating to Digital
Signatures.
QC: Qualified Certificate:
Certificate provided by a trusted Certification Service Provider.
TSP Trust Service Provider:
Providers of Trust Services not only relating to Digital Signatures.
EN European Norm:
European Standard recognized by the European Commission.
Global
Overview
1. CSPs
ENs on:CSP Conformance Assessment Policy Requirements of CSP issuing QC…..
Guidelines
3. Trust tokenformats
ENs on:Qualified certificate formatTrust status list…………….
Guidelines
4. SignatureCreation &verification
ENs on:Signature creation / verification proceduresSignature formatsSignature algorithms
Guidelines
2. TSPsApplyingeSignatures
ENs on:Registered e-mail and e-delivery, Signing and/or storing data………..
Guidelines
6. SigningDevices
ENs on:Conformity assessment of signature creation devicesSecure signature creation devices……..
Guidelines
5. Conformance &InteroperabilityTesting
ECE/TRADE/C/CEFACT/2013/MISC.2
14
Annex II
How UN/CEFACT addresses the business requirements for trusted electronic data exchange of trade documents